Chapter 3:

RISK ASSESSMENT & AUDIT PLANNING

Learning objectives
CL02
Explain the benefits and factors that affect internal control
Explain main audit terminologies and audit procedures.
CL03
Understand internal control to assess risks of material
misstatement, and audit risk to focus the audit on
significant areas
CL04
• Identify factors that affect audit planning;
• Resolve practical audit scenarios

Learning materials
Textbook
[1] Arens, A.A., Beasley, M.S., Elder, R.J. (2020). Auditing and
Assurance services – an integrated approach (17th ed.).
Pearson. (Chapter 8 & Chapter 9)
Other materials
[2] Bộ môn Kiểm toán – Đại học kinh tế TP.HCM. (2019). Kiểm
toán. NXB Lao Động Xã Hội.
[3] Trần Thị Hải Vân & cộng sự. (2016). Tài liệu tham khảo
Kiểm toán - Tập 1 (Kiểm toán căn bản). Đại học Ngân hàng
TP.HCM (Lưu hành nội bộ).

Requirements

Students need to read relevant materials, and focus on
the following requirements:
1. Distinguish audit risk, inherent risk, control risk,
and detection risk.
2. Explain the audit risk model
3. Illustrate the application of materiality in an audit
process
4. Explain the benefits of audit planning and audit
documentation
Content
3.1. Risk assessment
3.1.1. Audit risk
3.1.2. Business risk
3.1.3. Risk of fraud
3.2 Determination of materiality
3.2.1. Definition
3.2.2. Materiality for the FS as a whole
3.2.3. Performance materiality
3.3 Overall audit strategy and audit plan
3.3.1. The overall audit strategy
3.3.2. Audit plan
3.4 Audit documentation
3.4.1. Permanent file
3.4.2. Current file
AUDIT PROCESS
1. Plan and design an audit approach
- Audit contract
- Understand internal control
- Determine the level of materiality and audit risk assessments
- Finalise audit strategy and audit plan

2. Perform audit tests
- Tests of control
- Substantive Tests

3. Complete the audit & issue an audit report
- Audit completing
- Audit report

3.1. Risk assessment
The risk assessment procedures shall include the following:
(a) Inquiries of management, and of others within the entity
who in the auditor’s judgment may have information that is
likely to assist in identifying risks of material misstatement
due to fraud or error
(b) Analytical procedures.
(c) Observation and inspection.

3.1.1. Audit risk
ISA 200

Audit risk is the risk that the auditor
expresses an inappropriate audit opinion
when the financial statements are
materially misstated.

3.1.1. Audit risk
ISA 200

Audit risk is a function of the risks of material
misstatement and detection risk.
Risk of material misstatement: The risk that the financial
statements are materially misstated prior to audit. This
consists of two components, described as follows at the
assertion level: inherent risk and control risk

3.1.1. Audit risk
Inherent risk
The susceptibility of an assertion about a class of
transaction, account balance or disclosure to a
misstatement that could be material, either
individually or when aggregated with other
misstatements, before consideration of any
related controls

Impacting factors
Financial statements as a whole
• Managers’ integrity
• Managers’ experience and competences
• Abnormal pressure
• Business risk
Assertion level
• Sensitivity of account balances
• Complexity of transactions
• Estimation
• Sensitivity of assets
3.1.1. Audit risk
Control risk
The risk that a misstatement that could occur in an assertion
about a class of transaction, account balance or disclosure
and that could be material, either individually or when
aggregated with other misstatements, will not be
prevented, or detected and corrected, on a timely basis by
the entity’s internal control

Impacting factors
• Weak control environment
• Lack of control activities
• Ineffective control activities
3.1.1. Audit risk
Detection risk
The risk that the procedures performed by the auditor to
reduce audit risk to an acceptably low level will not
detect a misstatement that exists and that could be
material, either individually or when aggregated with other
misstatements.

Impacting factors
• Timing of substantive procedures
• Nature of substantive procedures
• Extent of substantive procedures
3.1.1. Audit risk

Inherent risk (VSA200 -13n)
Control risk (VSA200 -13n)
Detection risk (VSA200 -13)

3.1.1. Audit risk

Inherent Risk and Control Risk: Risk of material misstatement –
“belong to client”. The auditor assesses this risk.

Detection Risk: ‘Risk of Auditor’. The auditor controls this risk.

3.1.1. Audit risk

Audit risk model

Audit risk = Inherent Risk x Control Risk x Detection Risk

where Inherent Risk x Control Risk = Risk of material misstatement

Detection Risk = Audit risk / (Inherent Risk x Control Risk)

3.1.1. Audit risk
Audit Risk Matrix

                         Control Risk
                    High      Medium    Low
Inherent   High     Lowest    Low       Medium
Risk       Medium   Low       Medium    High
           Low      Medium    High      Highest
3.1.1. Audit risk

Audit risk and audit procedures

[Figure: Audit evidence obtained using audit procedures. Elements
shown: Inherent Risk, Control activities, Control Risk, Audit
evidence. Evidence is obtained using test of control and using
substantive procedures.]

3.1.1. Audit risk

[Figure: Audit Risk breakdown]
• Overall FS level (RoMM): Inherent Risk, Control Risk
• Assertion level (RoMM + DR): Inherent Risk, Control Risk,
Detection Risk
• Lowest level of the diagram: Sampling Risk, Non-sampling Risk
3.1.2. Business risks

ISA 315

A risk resulting from significant conditions,
events, circumstances, actions or inactions that
could adversely affect an entity’s ability to
achieve its objectives and execute its strategies,
or from the setting of inappropriate objectives
and strategies.

3.1 Risk assessment
3.1.2. Business risks
ISA 315

An understanding of the business risks facing the entity
increases the likelihood of identifying risks of material
misstatement, since most business risks will eventually
have financial consequences and, therefore, an effect on
the financial statements.

However, the auditor does not have a responsibility to
identify or assess all business risks because not all
business risks give rise to risks of material misstatement.

3.1.2. Business risks
ISA 315

The entity’s objectives and strategies, and those related
business risks that may result in risks of material misstatement

The auditor shall obtain an understanding of whether the entity
has a process for:
(a) Identifying business risks relevant to financial reporting
objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence;
(d) Deciding about actions to address those risks.

3.1.2. Business risks
ISA 315

Business risk may arise, for example, from:


• The development of new products or services that may fail;
• A market which, even if successfully developed, is
inadequate to support a product or service; or
• Flaws in a product or service that may result in liabilities and
reputational risk.

3.1.2. Business risks
ISA 315

Examples of matters that the auditor may consider include:


• Industry developments
• New products and services
• Expansion of the business
• New accounting requirements
• Regulatory requirements
• Current and prospective financing
• The use of IT
• The effects of implementing a strategy, particularly any
effects that will lead to new accounting requirements

3.1.3. Risk of fraud
ISA 240

Fraud – An intentional act by one or more individuals among
management, those charged with governance, employees, or
third parties, involving the use of deception to obtain an
unjust or illegal advantage.

The auditor is concerned with fraud that causes a material
misstatement in the financial statements. Two types of
intentional misstatements are relevant to the auditor –
misstatements resulting from fraudulent financial reporting
and misstatements resulting from misappropriation of assets.
3.1.3 Risk of fraud
ISA 240

The objectives of the auditor are:


(a) To identify and assess the risks of material misstatement of
the financial statements due to fraud;
(b) To obtain sufficient appropriate audit evidence regarding
the assessed risks of material misstatement due to fraud,
through designing and implementing appropriate
responses; and
(c) To respond appropriately to fraud or suspected fraud
identified during the audit.

3.2. Determination of materiality
3.2.1. Definition

Misstatements, including omissions, are
considered to be material if they, individually or
in the aggregate, could reasonably be expected to
influence the economic decisions of users taken
on the basis of the financial statements

ISA 320

3.2. Determination of materiality
3.2.1. Definition
The concept of materiality is applied by the auditor both in
planning and performing the audit, and in evaluating the effect of
identified misstatements on the audit and of uncorrected
misstatements, if any, on the financial statements and in forming
the opinion in the auditor’s report

- Consider the size or nature of a misstatement, or a
combination of both
- Consider the common financial information needs
of users as a group.

3.2. Determination of materiality
3.2.2. Overall Materiality
Determining materiality for the Financial Statements (FS) as a whole:
Overall Materiality = Benchmark x Percentage %
Determination of benchmark is usually based on the following
elements of financial statements:
- Earnings before tax,
- Total revenue,
- Gross profit
- Expenses,
- Equity
- Net assets.
3.2. Determination of materiality
3.2.2. Overall Materiality
Determining a percentage to be applied to a chosen
benchmark:
• The exercise of professional judgment.
• Determined percentage affects nature, timing and
extent of further audit procedures.

3.2. Determination of materiality
3.2.2. Overall Materiality
There are 4 ways of applying a percentage in the
determination of materiality:
• Unique percentage;
• Range of percentages, according to the size of the client
• Average method: taking the average of 3-4 results from
different rules, each applying a unique percentage
• Available formula

3.2. Determination of materiality
3.2.2. Overall Materiality

There are some accepted percentages in audit context:
5% to 10% EBT (Earnings before tax),
1% to 2% total assets,
1% to 5% equity,
0.5% to 1% revenue.

3.2. Determination of materiality
3.2.3. Performance materiality
Performance materiality means the amount or amounts set by
the auditor at less than materiality for the financial statements
as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial statements
as a whole.
• Allocated by professional judgment.
• 50% to 75% of Materiality for the Financial Statements as a
whole, with the auditor’s professional prudence.

3.2. Determination of materiality
3.2.3. Performance materiality

If applicable, performance materiality also refers
to the amount or amounts set by the auditor at
less than the materiality level or levels for
particular classes of transactions, account
balances or disclosures.

3.2. Determination of materiality
3.2.3. Performance materiality

If, in the specific circumstances of the entity, there is one
or more particular classes of transactions, account
balances or disclosures for which misstatements of lesser
amounts than materiality for the financial statements as a
whole could reasonably be expected to influence the
economic decisions of users taken on the basis of the
financial statements, the auditor shall also determine the
materiality level or levels to be applied to those particular
classes of transactions, account balances or disclosures.

3.2. Determination of materiality
3.2.3. Performance materiality

Determination of materiality when planning the audit:
• When establishing the overall audit strategy, the auditor
shall determine materiality for the financial statements as a
whole and the materiality levels to be applied to particular
classes of transactions, account balances or disclosures
• The auditor shall determine performance materiality for
purposes of assessing the risks of material misstatement
and determining the nature, timing and extent of further
audit procedures

3.2. Determination of materiality
3.2.3. Performance materiality
Revision as the Audit Progresses
• The auditor shall revise materiality for the financial
statements as a whole in the event of becoming aware of
information during the audit that would have caused the
auditor to have determined a different amount (or
amounts) initially.
• If the auditor concludes that a lower materiality for the
financial statements as a whole than that initially
determined is appropriate, the auditor shall determine
whether it is necessary to revise performance materiality,
and whether the nature, timing and extent of the further
audit procedures remain appropriate.

3.2. Determination of materiality
3.2.4. Application of materiality
Planning the audit
• Determination of materiality for the financial statements
as a whole
• Determination of materiality level or levels for particular
classes of transactions, account balances or disclosures

3.2. Determination of materiality
3.2.4. Application of materiality

Performing the audit


• Selecting significant items for substantive test.
• Considering revision of materiality in the event of becoming
aware of information during the audit that would have
caused the auditor to have determined a different amount
(or amounts) initially.

3.2. Determination of materiality
3.2.4. Application of materiality

Completing the audit


• Are the FS items free from material misstatement?
- Quantitative aspect
- Qualitative aspect
• Are the FS as a whole free from material misstatement?
- Quantitative aspect
- Qualitative aspect

3.3. The overall audit strategy & audit plan

3.3.1. The overall audit strategy

3.3.2. Audit plan


3.3.1. The overall audit strategy

Planning an audit involves:

(1) Establishing the overall audit strategy for the engagement

(2) Developing an audit plan.

Adequate planning benefits the audit of financial
statements in several ways.
3.3.1. The overall audit strategy

(1) An overall audit strategy


The auditor shall establish an overall audit strategy that sets
the scope, timing and direction of the audit, and that guides
the development of the audit plan (ISA 300).
In establishing the overall audit strategy, the auditor shall
(ISA 300):
a. Identify the characteristics of the engagement that
define its scope;
b. Ascertain the reporting objectives of the engagement to
plan the timing of the audit and the nature of the
communications required;
3.3.1. The overall audit strategy

In establishing the overall audit strategy, the auditor shall:


c. Consider the factors that, in the auditor’s professional
judgment, are significant in directing the engagement
team’s efforts;
d. Consider the results of preliminary engagement activities
and, where applicable, whether knowledge gained on
other engagements performed by the engagement
partner for the entity is relevant; and
e. Ascertain the nature, timing and extent of resources
necessary to perform the engagement.
3.3.2. Audit plan

(2) The audit plan is more detailed than the overall audit
strategy in that it includes the nature, timing and extent of
audit procedures to be performed by engagement team
members.
Audit plan includes a description of:
(a) The nature, timing and extent of planned risk
assessment procedures
(b) The nature, timing and extent of planned further audit
procedures at the assertion level
(c) Other planned audit procedures that are required to be
carried out so that the engagement complies with ISAs.
3.3.2. Audit plan

Audit program

• Audit objectives for each section
• The nature, timing and extent of planned
further audit procedures at the assertion
level
• Estimated necessary time period for
completing each section
3.3.2. Audit plan

Changes to Planning Decisions during the Course of the Audit

As a result of unexpected events, changes in conditions, or the
audit evidence obtained from the results of audit procedures, the
auditor may need to modify the overall audit strategy and audit
plan and thereby the resulting planned nature, timing and extent
of further audit procedures, based on the revised consideration of
assessed risks.
3.3.2. Audit plan

Changes to Planning Decisions during the Course of the Audit

This may be the case when information comes to the auditor’s
attention that differs significantly from the information
available when the auditor planned the audit procedures.
3.4. Audit documentation

3.4.1. Permanent file

3.4.2. Current file


3.4. Audit documentation
Definition

Audit documentation – The record of audit procedures
performed, relevant audit evidence obtained, and
conclusions the auditor reached

Audit file – One or more folders or other storage media, in
physical or electronic form, containing the records that
comprise the audit documentation for a specific
engagement
(ISA 230)
3.4. Audit documentation
Objectives

The objective of the auditor is to prepare documentation
that provides:
(a) A sufficient and appropriate record of the basis for the
auditor’s report; and
(b) Evidence that the audit was planned and performed in
accordance with ISAs and applicable legal and
regulatory requirements
3.4. Audit documentation
3.4.1. Permanent file
• The permanent file is audit work papers containing all the
standing data which are of continuing interest from year
to year.

• The permanent file is intended to contain data of
historical or continuing nature pertinent to the current
audit. This file provides a convenient source of
information about the audit that is of continuing interest.
3.4. Audit documentation
3.4.2. Current file

• The current work paper file contains all
documentation applicable to the year under audit

• The current file ordinarily includes client summary
information such as description of the client, client
industry, client internal controls and the auditor’s
materials.
3.4. Audit documentation
Purpose of audit documentation and audit file
• Evidence of the auditor’s basis for a conclusion about
the achievement of the overall objectives of the auditor;
• Evidence that the audit was planned and performed in
accordance with VSAs and applicable legal and
regulatory requirements.
• Assisting the engagement team to plan and perform the
audit.
• Assisting members of the engagement team responsible
for supervision to direct and supervise the audit work,
and to discharge their
3.4. Audit documentation
Purpose of audit documentation and audit file

• Enabling the engagement team to be accountable for its
work.
• Retaining a record of matters of continuing significance
to future audits.
• Enabling the conduct of quality control reviews and
inspections
• Enabling the conduct of external inspections
11/22/2023 59
